
Let's Encrypt DST Root CA X3 Issue

Please read this article to fix Web Proxy issues that come up today with some LetsEncrypt sites:

https://support.sophos.com/support/s/article/KB-000042993?language=en_US

Delete the expired CA from the CA store on the XG.

Solved our issues.

You will find the Warning in SYSTEM log, not WebProxy (strange...)

messageid="17917" log_type="Event" log_component="HTTPS" log_subtype="System" dst_ip="xxx.xxx.xxx.xxx" message="HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> General Settings -> HTTPS Decryption and Scanning" to access HTTPS site 'https://xxx.xxx.xxx/'" user_agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" status_code="403" sentbytes="0"

Wouldn't this be something for proactive Hotfix installation by Sophos?



  • Hotfixes are neither easy nor quick to develop, as they require many Q&A processes to be involved. Also, a HF will mess up build numbers, the backup/restore process, etc. Therefore this is not a good solution for such a change.

    You could remove this CA by using Central Management. Simply remove the DST CA in your group and the change will be pushed to all firewalls.
